WordPress has released yet another update, this time patching three active and exploitable Cross-Site-Scripting (XSS) flaws, a potential SQL injection flaw alongside six other security-related issues, leaving millions of domains vulnerable to be hijacked.

In a security advisory posted on WordPress.org, the company urges everyone to “update their sites immediately.”

Three of the bugs discovered are related to XSS vulnerabilities while one additional vulnerability exposed the site to a potential SQL injection flaw.

The four other bugs patched were reported by Sucuri’s Marc-Alexandre, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point and Ivan Grigorox, an active researcher in the HackerOne bug bounty program.

In addition, researcher Mohamed A. Baset disclosed a WordPress flaw that allows attackers to lock targeted posts indefinitely, preventing the owner from being able to make future edits to the active content. Content would be locked from the site owner and authors trying to update the post.

The last bug disclosed was a timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, allowing potential attackers to analyze the time it took cryptographic algorithms to execute their tasks.

If you manage or operate a WordPress site we urge you to upgrade your site to the latest WordPress 4.2.4 patch, by going to Dashboard > Update and clicking the Update Now button. WordPress’s latest release only patches critical security flaws, meaning any custom changes made to the backend, themes and plugins should remain unaffected.